Europe’s PSD2 Promises to Transform Payment ServicesARTICLE

The EU Payment Services Directive 2 (PSD2) is a regulatory initiative expected to usher in sweeping changes to B2B and consumer payment services, including cross-border payments.

PSD2 is designed to increase competition and promote innovation in financial services, increase online payment security, add consumer protections, and reduce the cost of payments.¹ Among the key requirements: banks must provide ways for other companies to access customer account information, with the customers’ consent. This is expected to pave the way for new payment services and financial information services.²

Notably, PSD2’s reach extends to so-called “one-leg transactions,” cross-border payments between EU and non-EU countries in which only one of the multiple payment service providers involved is in the EU.³ PSD2 becomes applicable in EU member countries in January 2018, although financial service providers will have longer to implement some of the detailed technical specifications.⁴

EU Payment Services Directives Aim to Increase Innovation and Competition

As its name suggests, PSD2 is the second EU Payment Services Directive aimed at improving payment services across Europe. The first, in 2007, was designed to make cross-border payments as easy, efficient and secure as national payments within a single EU country.⁵ Among other achievements, the directive facilitated the implementation of the Single Euro Payments Area (SEPA), which supports fast cross-border payments in euros between EU countries.⁶

PSD2 extends and updates the original directive, focusing on areas including encouraging competition and innovation among payment services providers as well as e-commerce security.⁷

PSD2 Opens Bank Data to Payment Services

PSD2 requires banks in the EU to open up customer account information to other companies, with prior customer approval (this is commonly referred to as XS2A, for “access to account”). Banks are expected to provide this access via application programming interfaces (APIs).^8,9

The access is designed to facilitate two types of third-party payment service provider: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). Both types of service already exist, but PSD2 licenses and regulates them on a Europe-wide basis for the first time, removing national barriers for licensed providers and allowing them to offer services across Europe.¹⁰ The European Commission says this is likely to increase competition, with new players and lower-cost payments.¹¹ Under the PSD2 regime, existing and new providers of these services will need to apply for authorization in order to operate within the EU, the Commission says.¹²

PISPs offer services that let users make payments; the PISPs access the users’ bank accounts to obtain the required funds. Some experts say that this capability may allow e-commerce retailers and other websites to act directly as payment providers, so they can let customers pay for goods without establishing a direct relationship with the customer’s bank.^13,14

AISPs offer services such as the ability to view consolidated information from multiple bank accounts, so customers can more easily analyze their total spending patterns and other financial activity across multiple providers.¹⁵

PSD2 Payment Security Requirements

PSD2 mandates a high level of security (Strong Customer Authentication, or SCA) in payment services, especially for online and mobile (card-not-present) payments. There are exemptions for certain types of payment, such as some smaller and repeating payments. According to the European Payments Council, PSD2 requires at least two of the following elements to be used for any transaction: something only the user knows (such as a password); something the user possesses (such as a credit or debit card); and something inherent to the user such as a fingerprint or voice recognition.¹⁷

The directive specifies an additional requirement for online and mobile payments, according to the Council: a unique authorization code that dynamically links the transaction to a specific amount and payee.¹⁸

Other aspects of PSD2 aim to increase consumer protection by prohibiting certain payment surcharges, limiting liability and ensuring payment refunds where appropriate.¹⁹

Broader Geographic Reach

While the previous PSD regulations focused on payments taking place entirely within Europe, PSD2 extends the geographic scope to include payments between EU nations and countries outside the EU, involving transfers between a Europe-based bank or other payment provider and one or more financial-services organizations located in other countries such as the U.S.²⁰ A Deutsche Bank analysis emphasizes that the PSD requirements apply only to the part of the transaction that is carried out within the EU.²¹

PSD2 Schedule

PSD2 becomes applicable in EU member states in January 2018. However, the detailed Regulatory Technical Standards (RTS) that define security and other requirements do not become applicable until 18 months after adoption. As of July 2017, the RTS were still being finalized.^22,23 The SCA portion of PSD2 is expected to go into force around April 2019, and details of the implementation are subject to ongoing evolution.²⁴

The Takeaway

Over time, PSD2 is expected to drive sweeping changes in cross-border payment services throughout Europe, potentially enabling innovative new solutions as well as lower costs.